Description

Security researcher Mario Gomes reported that when a previously
loaded image on a page is dragged and dropped into content after a redirect, the redirected
URL is available to scripts. This violates the Fetch specification's defined behavior for
"Atomic HTTP redirect handling", which states that redirected URLs are not exposed to any
APIs. This can allow for information leakage.

In general, this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but it is potentially a risk in
browser or browser-like contexts.